How do you create custom logic for validating a product key as a step in your installer?

    Question

  • I am getting ready to go live with an application, and I am trying to figure out how to put a product key into the installer. I see that it is available via the customer information dialog, but that gets me halfway there.  The way I see it, a key is meaningless if it doesn't have a means to prevent it from being reused a million times, but I don't want to have to connect to a server to see if the key has been used before.  I want to do a custom key algorithm based on the date that will let my installer expire keys as time passes.  I know that isn't perfect, because someone could change their system time and keep using a key, but it should be enough for my purposes.  The thing is that I don't know how to do a custom validation algorithm rather than the sum and divide by seven that I am finding is what the default algorithm does.

     

    So how do you use your own logic for validating a product key?


    All that is gold does not glitter, Not all those who wander are lost
    • Edited by DannyStaten Monday, May 30, 2011 4:59 PM Clarifying the question
    Monday, May 30, 2011 4:32 PM

Answers

All replies

  • Ok so this is the first time where I feel like Microsoft has COMPLETELY THROWN DEVELOPERS UNDER THE BUS.  I have felt extremely satisfied with how well the development tools anticipate and address developers' needs at every turn until it comes to this.  From everything I have found, this feels like they are TRYING to make it painful.


    What should be something as simple as editing the properties on your customer information dialog, and being able to write some custom code by clicking on a property's ... button is the most convoluted and painful thing I have ever had to try to do.  After 12 hours of fumbling, fighting and pulling my hair out I am pretty much throwing in the towel and I AM FURIOUS.

    What I have found is:

    1.  You can only add custom validation by creating a dll written in C++.  It has been almost a decade since I messed with C++ and it was not a pleasant experience venturing back into it. 

    2.  Once you get a dll that you have some degree of confidence will properly validate it (being that I tested it through all the means I could devise), you have to manually edit the msi after it is built, and it isn't a simple manual edit.  This is a complicated and easy to break process.

    3.  Editing the msi requires you find orca, which I was unable to find via msdn or microsoft anymore. 

    4.  The kb article that talks about how to do it is even flagged as not supported.

     

    So please please please someone tell me that Microsoft hasn't just thrown developers under the bus on this?  Please someone tell me that there is a better solution out there somewhere than what I found and had to throw in the towel on:
    http://support.microsoft.com/kb/253683

    I tried some with the free AdvancedInstaller, but found that it was crashing on some inputs, and it didn't support some of the templates I want.  I looked into the InstallShield option, but my install of it doesn't even work saying it can't find a template.  I also didn't see any indicator that the limited edition that they make available even allows you to do what I am looking to do.

    I am honestly just completely blown away that MS has left something that should be such an obvious and common thing so TERRIBLY neglected. 


    All that is gold does not glitter, Not all those who wander are lost
    Tuesday, May 31, 2011 2:46 AM
  • Most likely Microsoft thought it would be best if the serial number validation was performed by the application instead of the installer. There is also the validation process which differs from installer to installer. If they provided a built-in validation method, it would be easier to crack and a lot of installers would be affected by that crack. This is why you are encouraged to use your own validation DLL.

    Can you please give me more details about the problems you encountered with Advanced Installer? Its serial number validation should work. It even has a how-to for server-side validation if the built-in DLL is not enough.


    Cosmin Pirvu
    Tuesday, May 31, 2011 6:08 AM
  • Hi DannyStaten,

     

    If you use Visual Studio Setup and Deployment projects, you might already know that it is not very good for creating really smart setups we often need. I'd like to share two alternative ways to create installers within Visual Studio IDE:

    + Lexpa - Inno Setup integration for Visual Studio [http://www.lexpa.com]. Creates small and fast installers.

    + Votive - WiX toolset integration for Visual Studio [http://wix.sourceforge.net/votive.html]. Creates MSI-based installers.

    Both add a special project type to the VS Add New Project dialog and allow you to create setups of any level of difficulty.

    Or:

    http://www.oreans.com/winlicense.php

    http://www.interactive-studios.net/products/qlm.htm

     

    http://stackoverflow.com/questions/453030/how-can-i-create-a-product-key-for-my-c-app

     

    You can do something like create a record which contains the data you want to authenticate to the application. This could include anything you want - e.g. program features to enable, expiry date, name of the user (if you want to bind it to a user). Then encrypt that using some crypto algorithm with a fixed key or hash it. Then you just verify it within your program. One way to distribute the license file (on windows) is to provide it as a file which updates the registry (saves the user having to type it).

    Beware of a false sense of security though - sooner or later someone will simply patch your program to skip that check, and distribute the patched version. Or, they will work out a key that passes all checks and distribute that, or backdate the clock, etc. It doesn't matter how convoluted you make your scheme, anything you do for this will ultimately be security through obscurity and they will always be able to do this. Even if they can't, someone will, and will distribute the hacked version. Same applies even if you supply a dongle - if someone wants to, they can patch out the check for that too. Digitally signing your code won't help, they can remove that signature, or re-sign it.

    You can complicate matters a bit by using techniques to prevent the program running in a debugger etc, but even this is not bullet proof. So you should just make it difficult enough that an honest user will not forget to pay. Also be very careful that your scheme does not become obtrusive to paying users - it's better to have some ripped off copies than for your paying customers not to be able to use what they have paid for.

    Another option is to have an online check - just provide the user with a unique ID, and check online as to what capabilities that ID should have, and cache it for some period. All the same caveats apply though - people can get round anything like this.

    Consider also the support costs of having to deal with users who have forgotten their key, etc.

     

     

    Or you can try Shareware Starter Kit:

    http://blogs.msdn.com/b/danielfe/archive/2005/07/10/437293.aspx

    http://social.msdn.microsoft.com/forums/en-US/Vsexpressvb/thread/39a42b89-f312-4e15-b218-34e4e1617733/

     

    Or the Serial Key Maker:

    http://www.serialkeymaker.com/how_to_implement_serial_key_maker.aspx

     

    There are also several links that would be helpful to you:

    http://www.debugging.com/bug/16115

    http://www.codeproject.com/Answers/159167/csharp-Setup-for-Trial-and-Serial-key.aspx#answer3

    http://www.codeproject.com/KB/install/LicenseKeyGeneration.aspx

    http://www.emoreau.com/Entries/Articles/2007/12/Licensing-a-VBNet-application.aspx

     

    As I mentioned, the Visual Studio built-in deployment technology is not suitable when you need a smart installation package. Based on the above information, the option is to use another product rather than research the setup project option.

     

    Or, if you also want to do this hard work with a Visual Studio setup project or by yourself, you can refer to the following articles:

    http://www.indigorose.com/webhelp/sufwi/HowTo/Add_a_Serial_Number_Validation_Screen_to_Your_Project.htm

    http://helpful-tech-how-to-tips.blogspot.com/2010/05/how-to-validate-serial-number-during.html

    http://www.codeproject.com/KB/security/NbbfArchitecture.aspx

     

    incorporating-license-key-approach-for-a-winforms-app

    algorithm-for-unique-cd-key-generation-with-validation

    how-to-generate-and-validate-a-software-license-key

    Crypto Primer: Understanding encryption, public/private key, signatures and certificates

     

     

    And for other deployment solutions (excluding the Visual Studio setup project and ClickOnce), you can go to their dedicated forums for more expert help to achieve your goal more easily.

    You can find most of the deployment solution products and their websites (forums) from this URL:

    http://installsite.org/pages/en/msi/authoring.htm

     

    And if you want ORCA, then you can find it by following this document:

    http://msdn.microsoft.com/en-us/library/aa370557(VS.85).aspx

     

    Best wishes,


    Mike [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Tuesday, May 31, 2011 10:35 AM
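
An added example (not code from this thread or from any of the linked products) of the record-plus-keyed-hash approach described in the reply above, carrying the expiry date the original question asks for. The secret, epoch, field layout and function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import date, timedelta

# Constructed demo secret (assumption). Anything shipped inside the installer
# or application can be extracted, and whoever has it can mint valid keys.
SECRET = b"constructed-demo-secret-not-for-production"
EPOCH = date(2011, 1, 1)   # expiry is stored as days since this date
TAG_LEN = 8                # bytes of HMAC-SHA256 kept in the key


def _tag(body: bytes, licensee: str) -> bytes:
    # Bind the expiry field to a normalised licensee name.
    msg = body + licensee.strip().lower().encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]


def issue_key(licensee: str, expires: date) -> str:
    """Vendor side: 2-byte expiry + 8-byte tag, base32 in groups of four."""
    body = struct.pack(">H", (expires - EPOCH).days)
    text = base64.b32encode(body + _tag(body, licensee)).decode("ascii")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def check_key(key: str, licensee: str, today: date) -> str:
    """Client side: returns 'ok', 'expired' or 'invalid'.

    `today` normally comes from the local clock, which the user controls,
    so the clock-rollback weakness raised in the thread still applies.
    """
    try:
        raw = base64.b32decode(key.replace("-", "").upper())
    except (ValueError, TypeError):
        return "invalid"
    if len(raw) != 2 + TAG_LEN:
        return "invalid"
    body, tag = raw[:2], raw[2:]
    # Verify the tag before trusting the expiry field; constant-time compare.
    if not hmac.compare_digest(tag, _tag(body, licensee)):
        return "invalid"
    expires = EPOCH + timedelta(days=struct.unpack(">H", body)[0])
    return "ok" if today <= expires else "expired"
```

Because the expiry date is covered by the tag, editing the date inside a key invalidates it; the check itself can still be patched out of the program, as the reply notes.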
  • Hi DannyStaten,
    I am writing to check the status of the issue on your side. 
    What about this problem now? 
    Would you mind letting us know the result of the suggestions?
    Best wishes,

    Mike [MSFT]

    Friday, June 03, 2011 5:20 AM
  • I have opted to go away from product key at install time, and am going to be having them enter it at first launch.  That gives me the flexibility to do things like implement a 30 day trial, and it also keeps me happily in the realms of coding where MS has actually done a great job facilitating developers.

    It really does feel incredibly incongruous to me that the installer creation abilities that are in Visual Studio are so sparse.  Installers are critical for any desktop application developer, and usually MS is great about addressing and empowering developers to do amazing things.  It honestly does feel strange that they didn't work out a means where you can go into a function straight from visual studio's interfaces, and have MS's installer be smart enough to build that function into a little dll, and then handle all the MSI entries etc. 

    To those who mention things like MS isn't in the business of doing installers, I say that MS is in the business of empowering developers, and so it feels strange that they have left installers so badly out of sync with everything else they do provide.  I also ask another question: what isn't MS in the business of doing? 8)

    To the remark that letting you roll your own DLL is more secure, I disagree.  Anyone who knows how to edit an MSI can disconnect that dll, or just create their own and inject it into the installer.  Besides if MS does things right, its built installer could do the same thing, but you would just have a great interface that abstracts the things it should abstract.  Having Visual Studio abstract the dll away doesn't mean it would have to be any different under the core.

     


    All that is gold does not glitter, Not all those who wander are lost
    Friday, June 03, 2011 2:34 PM
  • --> I have opted to go away from product key at install time, and am going to be having them enter it at first launch

    There are more products that also use this design to limit the end user's use of the software.

    This is easier to implement than doing it in the installer.

     

    Best wishes,


    Mike [MSFT]

    Monday, June 06, 2011 5:54 AM
  • Yeah it only took me about 3 hours to do the whole thing, from the UI in WPF down to the reading and writing to the registry with encrypted keys to attempt to make it a bit more secure.  Alas, the registry is easier to hack than an MSI is, but not by too much.  Still, it should be secure enough to keep honest people honest, and there is enough obscurity to make it so a capable hacker will still have to work at it.
    All that is gold does not glitter, Not all those who wander are lost
    Monday, June 06, 2011 2:14 PM
  • Preventing cracking and piracy is hard work; we can only say that one method would cost a cracker more time than before or than other methods, but we cannot ensure that it will stop cracking.

    http://social.msdn.microsoft.com/Forums/pl-PL/winforms/thread/aadcf632-27f2-49f3-912e-4bfd9b3d66fd

    You can also use an encrypted file to store the product key, or use an encrypted string to store the product key in the registry.

     

    Best wishes,


    Mike [MSFT]

    Tuesday, June 07, 2011 5:12 AM
  • Yeah I have encrypted values in the registry to manage a 30 day trial period as well as product activation.  I have done a few other things that are non-obtrusive to the user and should make life harder for someone who wants to crack my app.  That being said, I am painfully aware of the fact that once you install your code on someone else's machine, the right person will always be able to crack it.  One friend of mine pointed out however that "if you are big enough to be hacked then you know you have arrived."  Perhaps that is right.

    I believe that I have something in place that is hard enough to bypass that it will keep honest people honest, and discourage 90% of those who would try and break it.  That seems to be about as much as you can hope for.


    All that is gold does not glitter, Not all those who wander are lost
    • Marked as answer by DannyStaten Wednesday, June 08, 2011 2:18 PM
    Tuesday, June 07, 2011 2:32 PM
  • Good Luck!

     


    Mike [MSFT]

    Wednesday, June 08, 2011 5:41 AM